by Mike Snider, USA TODAY

With news this week that as many as 1.2 billion user names and password combinations had been stolen, security experts are urging consumers to be more vigilant online.

A Russian cybergang injected malicious code into at least 420,000 websites to gather the data. The attack "looks absolutely enormous," said Geoff Webb, senior director of security and strategy at NetIQ, a computer security company based in Houston. "It's yet another example showing that there's a lot of work to be done in making the Web-based applications that people use secure."

Because people tend to use the same password on multiple sites, "when a medium-sized breach occurs, it can have major repercussions because those passwords are used on so many systems," Webb said. "And this is a huge breach."

Some of the e-mail and password combinations may be old and no longer in use, so it may not be necessary for users to change their passwords, said Alex Holden, founder and chief information security officer for Hold Security in Milwaukee. "The last thing we want is to panic the marketplace," he said.

Potential victims can register at HoldSecurity.com to see whether their e-mail addresses are among those compromised. The company says in the coming days it plans to let them know for free if their credentials have been found in possession of the gang, which Hold Security has deemed CyberVor ("vor" means "thief" in Russian).

"The takeaway from all of this: It's time to change your password again," says security expert Phil Lieberman, CEO of Lieberman Software.

Poor password practices can make a breach like this one exponentially troublesome, he says, because "the reuse of passwords across multiple sites means that the bad guys effectively have the keys to the door of multiple personal accounts once they have login credentials for just one site."